Hello.
We currently have the following setup with a client between our and their Cisco ASA:
We have policy based ipsec VPN between our and clients ASAs over the internet and we also have 'direct' L3 connection over ISPs provided MPLS link (perhaps the correct term would be MPLS VPN?) without ipsec VPN. Over the MPLS link we run single session BGP (only our ASAs are peering) where we advertise our internal IP 'B' /32 route to client and receive their internal IP 'A' /32 route.
The current setup works by preferring /32 BGP route to clients internal IP 'A' over the MPLS link for our initiated and returning traffic. When the MPLS link or BGP peering over it goes down, our ASAs default route 0.0.0.0/0 directs the traffic to internet which is then encrypted by the policy based ipsec VPN. Basically its a failover setup- MPLS link is preferred over VPN but when MPLS goes down, then VPN is used. We currently don't know the specifics of the clients config but it should be relatively same.
We are planning to replace our ASA with CP (R81.20) in this setup but since our client wants the same failover setup to continue then we need to figure out to somehow duplicate the same 'failover' config on CP. Luckily we've managed to negotiate with our client that we can build the the same but separate setup (in parallel to old setup) using CP on our side and use new internal IPs (for example 'C' on clients side and 'D' on our side) so when the 'new setup' is complete, we can just reconfigure our services and APIs to the said new internal IPs C and D.
I've already consulted with someone bit more experienced on Checkpoint and they say that the 'failover' from MPLS /32 BGP route to policy based VPN wouldn't work properly the same way on CP as it did on ASA and probably route based VPN with according static route to client IP 'C' needs to be used.
If, with the new setup, we have /32 static route pointing to the route based VPN and /32 BGP route to the same destination (to clients internal IP 'C') and according to Protocol rank , then for example if we lower the BGP route rank (default 170) lower than static route (default 60), then could the 'failover' work similarly as before?- meaning that BGP /32 route is preferred for our initiated and returning traffic to clients IP 'C' and when something happens to the MPLS link and/or BGP peering, the static /32 route to VPN takes over?
Or could it be easier to also just run BGP over the routed VPN? Also let me know if any other details are needed.
Sorry for the long text (no potato at the end this time) and since this is my first post started here and if I managed to ignore any good forum/posting practices then please don't swing anything too large and heavy at me 😅
| User | Count |
|---|---|
| 37 | |
| 27 | |
| 11 | |
| 10 | |
| 7 | |
| 7 | |
| 6 | |
| 5 | |
| 5 | |
| 4 |
Tue 10 Feb 2026 @ 03:00 PM (CET)
NIS2 Compliance in 2026: Tactical Tools to Assess, Secure, and ComplyTue 10 Feb 2026 @ 02:00 PM (EST)
Defending Hyperconnected AI-Driven Networks with Hybrid Mesh SecurityThu 12 Feb 2026 @ 05:00 PM (CET)
AI Security Masters Session 3: AI-Generated Malware - From Experimentation to Operational RealityFri 13 Feb 2026 @ 10:00 AM (CET)
CheckMates Live Netherlands - Sessie 43: Terugblik op de Check Point Sales Kick Off 2026Thu 19 Feb 2026 @ 03:00 PM (EST)
Americas Deep Dive: Check Point Management API Best PracticesTue 10 Feb 2026 @ 03:00 PM (CET)
NIS2 Compliance in 2026: Tactical Tools to Assess, Secure, and ComplyTue 10 Feb 2026 @ 02:00 PM (EST)
Defending Hyperconnected AI-Driven Networks with Hybrid Mesh SecurityFri 13 Feb 2026 @ 10:00 AM (CET)
CheckMates Live Netherlands - Sessie 43: Terugblik op de Check Point Sales Kick Off 2026Thu 19 Feb 2026 @ 03:00 PM (EST)
Americas Deep Dive: Check Point Management API Best Practices
